Security firm Airscanner released information about several weaknesses in Pocket Internet Explorer, the standard web browser that comes pre-installed on Windows Mobile Pocket PC and Smartphone devices.
These flaws can be used together to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities is restricted only by an attacker’s imagination. The research firm says that Pocket Internet Explorer is not as powerful as its big brother Internet Explorer, and as such, an attacker is limited in what techniques can be used to launch an attack.
The flaws involve Unicode URL obfuscation, access to local files, and a <div> XSS tag. The most important is the first, since it can mislead users into believing they are accessing one website when in fact the browser is being redirected to the attacker's domain. Local file access is not quite a flaw, since all browsers can read local files, but when combined with the Unicode URL obfuscation and the <div> XSS tag, a script can be written that can potentially collect personal information.